I have been visiting Delhi quite a bit of late, meeting several senior government functionaries and attending DSCI's Annual Information Security Summit 2015 on the most recent visit. These trips have left me with some strong impressions of what is happening in the security space, especially in relation to policy formulation and execution by the government. No one knows when the former will materialize, and how the latter will happen.

Firstly, DSCI is to be congratulated for its continuing efforts to set the tone of the cybersecurity conversation in the country. But while the intent and the conference agenda at AISS15 were solid and well planned, from attending the sessions - predominantly those with government involvement - it feels like what is happening in the real world is stark, while what is being spoken of in many of these sessions is largely academic. There seem to be considerable disconnects, and conversations with practitioners, consultants and delegates at AISS15 only reinforce this.

Traction is Missing

While the government mechanism seems to be proactive on many things cybersecurity, there seems to be a lack of traction on the ground. Clearly articulated timelines and objectives regarding security are missing. Intent is clearly there - budgets have been allocated and multiple drives and initiatives announced. However, no one seems to have a clue how execution will move forward - or else the government won't say.

If it is the latter, then it speaks to a culture of secrecy that has left practitioners and concerned citizens confused as to India's stance toward cybersecurity. There is a general reluctance to share or publicly articulate what the current landscape and circumstances are in this space. For instance, while much fanfare surrounds the Cyber Security Task Force being run by NASSCOM (which has yet to share its recommendations with the government, btw), the CSTF initiative is being confused with a program that will improve cybersecurity domestically, while the clear intent is to export security services and products. That's an irony in itself - after all, if efforts to improve the domestic situation don't bear fruit, how can security be demonstrated to the global market?

India's growth story in the software and services space is being used as an example of what we can achieve in cybersecurity. However, the reasons those industries blossomed and won global acclaim may not be the same as the reasons why the world should start buying security from India. Even though people argue that Indian companies have been providing world-class SOC support for global entities for a substantial time now, how much impact has that had domestically?

Let's grant that world-class security skillsets exist in India - what is being done to connect these skills to the domestic technology space? In other words, how do you incentivize Indian security practitioners, serving global customers, to step in and join the 'security revolution' to which the establishment is aspiring?

Free market dynamics can only do so much, and in the end much of the security ecosystem is driven by risk, awareness and regulation - not altruism.

Community Concerned

Even now, while India forges ahead with ambitious projects such as Digital India, policy is being painted in broad strokes, which might mean that the nuances that security needs are being largely neglected. One senior policy researcher shares that security is not even part of the Digital India meetings he attends. "It hasn't come up in our discussions so far," he says. This should spark concern that massive undertakings such as Digital India and others could become a classic case of bolt-on security.

Moreover, while disparate organizations continue disparate efforts to write policy, legislation and guidelines, where is the unifying strategy, command and control that will coalesce these efforts into a functioning whole? And the less said about the turf wars in this space between government agencies, the better.

Let's face it: India and information security have not exactly been bedfellows. Usually, the policy debates around cybersecurity take a piecemeal approach, and tend to favour positions depending on public perception. The government's approach is based on legacy thinking, and anyone knowing the spelling of cybersecurity and having a string of certification alphabets appended to their name is dubbed an expert, an observer asserts.

Rather than release guideline after guideline, the government must provide true leadership and direction in the cybersecurity space - in keeping with global trends. For instance, as a senior thought leader shares, one such set of guidelines, released by the National Critical Information Infrastructure Protection Center, seems to borrow from existing enterprise standards rather than taking a strategic world view. And even there, critical aspects such as the need to protect data are missing. ICS/SCADA security - an obviously very important part of critical infrastructure protection - is given an abysmally low level of importance, he says.

"It is apparent that the person who has written this is not familiar with ICS and hopes that the critical infrastructure organization team will take care of it on their own," the gentleman says. Our biggest threat is the lack of awareness at all levels, and there is a refusal to accept this reality, he says. We are taking the Internet for granted and living in our own cocoon, thinking that what's happening today globally - the massive, high-profile breaches - cannot happen to us, he fears.

To sum up, strong leadership and direction from those making decisions and framing public policy and legislation in India are an urgent need. If this need goes unmet, then ambitions such as Digital India, Smart Cities, et al, will be brought to their knees before they can achieve critical mass.

Or, taking a pragmatic view, maybe that is what it will take before security maturity becomes a prerequisite to implementing technology in India.

About the Author

Haran has been a technology journalist in the Indian market for close to six years, specializing in information security. He has driven industry events such as the India Computer Security Conference (ICSC) and the Ground Zero Summit 2013. Prior to joining ISMG, Haran was a correspondent with TechTarget and InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.